PT-2014-7206 · Facebook · Facebook App+1

William Costa

·

Published

2014-09-15

·

Updated

2024-08-06

·

CVE-2014-6392

CVSS v2.0

4.3

Medium

Vector AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
Facebook app version 14.0
Facebook Messenger app version 10.0

Description
A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic. The vendor disputes the significance of this report on two grounds: the user must accept an interstitial warning before the HTML file content is rendered, and the rendered HTML runs on a sandbox domain rather than on the application's own origin, which is what limits the impact of any injected script. Both points are reflected in the CVSS vector above (medium access complexity, partial integrity impact only).

Recommendations
For Facebook app version 14.0, do not open HTML file content received over chat (decline the interstitial warning) until a patch is available. For Facebook Messenger app version 10.0, treat attachments whose filename extension would cause them to be rendered as HTML as untrusted and do not open them from within the app. In both cases the interstitial warning is the only user-side control, so it should be treated as a hard stop rather than a formality.
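Illustration (added for this page; it is not code from the advisory, from the reporter, or from Facebook, and it does not model the apps' internals): the class of bug described above is a server or client deciding how to present an attachment from its filename extension and then letting the receiver MIME-sniff the body. The example below contrasts a naive header policy with a hardened one that allowlists inline-renderable types, sniffs the body for markup, sends X-Content-Type-Options: nosniff, sanitises the filename, and addresses attachments on an isolated origin. The extension map, the sample attachments and the hostname attachments-sandbox.example are all constructed for this example.

```python
import os
import re

# Constructed sample attachments (filename, leading bytes of body). These are
# illustrative inputs for this example, not captured chat traffic.
SAMPLE_ATTACHMENTS = [
    ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
    ("notes.txt", b"just some text"),
    ("invoice.pdf.html", b"<html><script>alert(document.domain)</script></html>"),
    ("cat.jpg", b"<html><body>named like an image, HTML inside</body></html>"),
]

# Explicit extension map (assumed for this example; used instead of the
# mimetypes module so results do not depend on the host's mime.types file).
EXTENSION_TYPES = {
    ".jpg": "image/jpeg", ".jpeg": "image/jpeg", ".png": "image/png",
    ".gif": "image/gif", ".txt": "text/plain", ".pdf": "application/pdf",
    ".htm": "text/html", ".html": "text/html",
}

# Types the receiving client may render inline; text/html is deliberately absent.
INLINE_SAFE = {"image/jpeg", "image/png", "image/gif", "text/plain"}

# Cheap content sniff on the server side: if the leading bytes carry markup,
# a benign-looking extension must not talk the client into rendering it.
HTML_MARKERS = re.compile(
    rb"<\s*(!doctype|html|head|body|script|iframe|svg|meta|object|embed)\b",
    re.IGNORECASE,
)

# Assumed hostname for the isolated origin; the advisory only says "a sandbox domain".
SANDBOX_HOST = "attachments-sandbox.example"


def type_from_extension(filename):
    """Last extension wins, exactly as a naive implementation would do it."""
    _, ext = os.path.splitext(filename)
    return EXTENSION_TYPES.get(ext.lower(), "application/octet-stream")


def vulnerable_headers(filename, body):
    """Trusts the filename extension and leaves sniffing to the client.

    'invoice.pdf.html' becomes text/html rendered inline, and 'cat.jpg' with
    HTML inside may still be sniffed as HTML by a client that second-guesses
    Content-Type, because no nosniff directive is sent."""
    return {
        "Content-Type": type_from_extension(filename),
        "Content-Disposition": "inline",
    }


def hardened_headers(filename, body):
    """Allowlists inline-renderable types, sniffs the body for markup, forbids
    client-side sniffing and sandboxes whatever does get rendered."""
    ctype = type_from_extension(filename)
    looks_like_html = HTML_MARKERS.search(body[:1024]) is not None
    # Strip anything that could break out of the quoted filename parameter.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    if ctype not in INLINE_SAFE or looks_like_html:
        ctype = "application/octet-stream"
        disposition = 'attachment; filename="%s"' % safe_name
    else:
        disposition = "inline"
    return {
        "Content-Type": ctype,
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox",
    }


def sandbox_url(path):
    """Attachments are addressed on an isolated origin, so even a body that a
    client insists on rendering runs without the main site's cookies or DOM."""
    return "https://%s/%s" % (SANDBOX_HOST, path.lstrip("/"))


def compare(attachments=SAMPLE_ATTACHMENTS):
    """Returns {filename: (vulnerable disposition, hardened disposition)}."""
    return {
        name: (
            vulnerable_headers(name, body)["Content-Disposition"],
            hardened_headers(name, body)["Content-Disposition"].split(";")[0],
        )
        for name, body in attachments
    }


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print("%-18s vulnerable=%-7s hardened=%s" % (name, before, after))
```

The two checks are complementary: the allowlist catches the crafted extension (.html) and the body sniff catches markup hidden behind an allowed extension (.jpg); nosniff then stops the client from overriding the declared type, and the separate origin bounds the damage if all of that is bypassed, which is the vendor's sandbox-domain argument expressed as a design rule.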

Fix

Weakness Enumeration
XSS

Related Identifiers
CVE-2014-6392

Affected Products
Facebook Messenger
Facebook App